From a22e4dfb0dfb042c80da9c44a3e5178f06cfc4d6 Mon Sep 17 00:00:00 2001 From: striven-prevailed <sg.striven@cutecat.club> Date: Thu, 06 Nov 2025 13:54:47 +0000 Subject: [PATCH] Describe UPlay R1, Spring --- 02_internals_of_hyperscape/01_entrypoint.md | 26 +++++++++++++++++++++----- 1 files changed, 21 insertions(+), 5 deletions(-) diff --git a/02_internals_of_hyperscape/01_game_files.md b/02_internals_of_hyperscape/01_entrypoint.md similarity index 64% rename from 02_internals_of_hyperscape/01_game_files.md rename to 02_internals_of_hyperscape/01_entrypoint.md index 27de547..abca818 100644 --- a/02_internals_of_hyperscape/01_game_files.md +++ b/02_internals_of_hyperscape/01_entrypoint.md @@ -1,4 +1,14 @@ -# Internals of Hyperscape: Game Files +# Internals of Hyperscape: Entrypoint + +## Information String + +| Property | Value | +|------------|----------------------------------------------| +| Version | `tucert_Y01S03_C6101049_D1004780_S6167_123` | +| Built | `Mon Mar 29 20:20:36 2021 UTC` | +| Exeuctable | `scimitar_engine_win64_2017_flto_vulkan.exe` | + +The information for this wiki concerns this version of HyperScape. ## `Hyperscape.exe` 
@@ -21,15 +31,21 @@ | Certificate | `WinAuth(2.0)[PKCS #7]` | ### Launching the Game -Because the game is normally distributed with BattlEye, the following game flags are required to pass into the executable: `-eac_launcher /belaunch -be` in order to mod the game. +Because the game is normally distributed with [BattlEye](https://www.battleye.com/), the following game flags are required to pass into the executable: `-eac_launcher /belaunch -be` in order to disable the anti-cheat in the game. -Currently, the only known way of launching the game and being able to attach debuggers and inject dynamic libraries is to use **LumaPlay**, which hijacks [UbiServices](../03_ubisoft_services/03_rest_endpoints.md) APIs to prevent usual restrictions like owning the game from preventing the launch. +The game also handles game license checks through [Ubisoft Connect](https://www.ubisoft.com/en-us/ubisoft-connect) (Formerly known as, and in the game files as, 'UPlay'). Check out the [uplay_r1](./02_uplay_r1.md) page for more information on how this works and how to bypass this restriction. ### Dumping Imports +The game executable is obfuscated with [VMProtect](https://vmpsoft.com/) v3.20-v3.5.0, but critical game functions are not. + A tool like [VMP3 Import Fix](https://github.com/KuNgia09/vmp3-import-fix) can be used to dynamically fix imports and export a much more manageable executable for reverse-engineering with a decompiler like IDA or Ghidra. +Note that many lower level functions and especially IO-related procedures remain obfuscated. + ### Debug Builds No debug builds are currently known of the game itself, however debug builds and PDBs of libraries like RendezVous have been leaked and have been instrumental in further understanding the game. 
-> [!NOTE] -> TODO: Explain further \ No newline at end of file +### Client Modifications +The game has additional protections against using [`VirtualProtect`](https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect) (Although, earlier versions of the game, for example from Season 1, appear to have this protection removed). + +Bypassing this restriction either involves using `VirtualProtect` from an external process to mark all pages as writable and executable, or removing this protection entirely by running code before the game starts. -- Gitblit v1.10.0
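Review bot: In the first hunk (`@@ -1,4 +1,14 @@`), the third row of the new Information String table is labelled `Exeuctable`, which should read `Executable`. The closing sentence of that section spells the title `HyperScape` while the heading above it uses `Hyperscape`, so one spelling should be used throughout. The file is also renamed from `01_game_files.md` to `01_entrypoint.md` and the diffstat lists only one file changed, so any page that still links to the old name is not updated by this patch and should be checked.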
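Review bot: In the second hunk (`@@ -21,15 +31,21 @@`), the new link to `./02_uplay_r1.md` under "Launching the Game" points at a file this patch does not add: the subject says "Describe UPlay R1", but the diffstat shows a single changed file. Either include that page in the same change or confirm it already exists, otherwise the link dangles, and the removed sentence about LumaPlay and UbiServices leaves no replacement explanation on this page. Under "Dumping Imports", the range `v3.20-v3.5.0` mixes two version formats and is ambiguous as written. Under "Client Modifications", "appear to have this protection removed" reads as if the protection was taken out of earlier builds; if the meaning is that Season 1 builds do not have it, say so. The section should also state what the protection actually does, since the text only says it is "against using `VirtualProtect`".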